Do not run npm audit on npm install #7144
Comments
I agree, this is confusing the users since they should not really do anything. Especially in its current form. But I'm not sure if someone could add a Thus could we somehow make it so that any vulnerabilities are reported in a way that by default there is a message:
And then if we could provide more details when the logging level is DEBUG, by executing npm audit? Or something better?
Acceptance Criteria
We might use
I can't figure out why we would not pick this for 2.1, it might be an improvement, but then again showing the audit log message to the users makes no sense as they can't react to it - so I'd claim that this is a bug that was fixed.
Currently there is the following report because of #7121
This report is confusing and we don't want users to be alarmed with these warnings:
Vaadin users don't have to do anything. Using npm audit fix is not a valid solution because Flow manages package.json on its own and the local changes would be overridden.
Typically the vulnerabilities only matter for the projects that have Node.js runtime. We only use Node for building with webpack so in most cases we would be unaffected.
The solution would be to add the --no-audit flag which turns the audit off.